[57] ABSTRACT

A method and apparatus for generating additional implicit keys from a key [K_ij]_N without the necessity of generating a new Diffie-Hellman (DH) certificate or requiring communication between nodes to change implicit master keys is disclosed. A first data processing device (node I) is coupled to a private network which is in turn coupled to the Internet. A second data processing device (node J) is coupled to the same, or to a different network, which is also coupled to the Internet, such that node I communicates with node J using the Internet protocol. Node I is provided with a secret value i and a public value. Data packets (referred to as "datagrams") are encrypted to enhance network security. Each node maintains an internal value of N which is incremented based on time and upon the receipt of a data packet from another node. The key [K_ij]_N is derived from the appropriate quantity by using the high order key-sized bits of that quantity. The present invention then utilizes the key [K_ij]_N to encrypt a transient key which is referred to as Kp. Node I encrypts the IP data in Kp and encrypts Kp in [K_ij]_N. Node I transmits the encrypted IP datagram packet in the encrypted key to the receiving node J. Node I further includes its current internal value of N_I in the outgoing packet. The present invention also provides for the application of one-way functions to the shared secret to enhance security. Thus, either node I or node J may change the context such that if in the future [K_ij]_N is compromised, it is not useable by a cracker to decrypt prior encrypted packets. The present invention discloses methods and apparatus for achieving perfect forward security for closed user groups, and for the application of the SKIP methodology to datagram multicast protocols.

10 Claims, 8 Drawing Sheets

03/03/2004, EAST Version: 1.4.1

U.S. Patent Feb. 15, 2000 Sheet 1 of 8 6,026,167

[FIG. 1 (Sheet 1 of 8): data processing system; only the reference numerals 12 and 15 and the label "TO NETWORK" are legible; drawing not reproduced]

[FIG. 3 (Sheet 2 of 8): flow chart, node I sending packet (P) to node J: obtain J's DH certificate, verify it and cache the DH public value for J; compute [K_ij]_N and cache for later use; generate random Kp if the last Kp has already been used too often; encrypt packet in Kp, encrypt Kp in [K_ij]_N; send encrypted packet and encrypted Kp to J]

[FIG. 4(A) (Sheet 3 of 8): flow chart: start; time to change N_J; receive packet encrypted in [K_ij]_N; obtain DH certificate for node I, verify it, extract the DH public value for I and cache it; continues at FIG. 5(A)]

[FIG. 4(B) (Sheet 4 of 8): decrypt Kp using [K_ij]_N; decrypt packet (P) using Kp; discard packet, or do normal packet processing with the decrypted packet]

[FIG. 5(A) (Sheet 5 of 8): node J receiving packet (P) from node I (from FIG. 4(A)); case N_I = N_J; obtain DH certificate for node I, verify and extract the DH public value for I and cache it; see FIG. 4(A) for the case N_I > N_J; discard packet P; send error packet with N_J to node I; end]

[FIG. 5(B) (Sheet 6 of 8): compute [K_ij]_N and cache for later use; decrypt Kp using [K_ij]_N; decrypt the encrypted packet using Kp; do normal packet processing with the decrypted packet; end]

[FIG. 6 (Sheet 7 of 8): transmission format of an encrypted datagram; field labels not recoverable from the scan]

[FIG. 7 (Sheet 8 of 8): precompute all shared secrets for each closed group node; delete j (J's DH secret)]
METHOD AND APPARATUS FOR SENDING SECURE DATAGRAM MULTICASTS

This Application is a continuation-in-part of U.S. patent application Ser. No. 08/348,725, now U.S. Pat. No. 5,668,877, issued Sep. 16, 1997, filed Dec. 2, 1994, entitled "METHOD AND APPARATUS FOR STEPPING PAIR KEYS IN A KEY MANAGEMENT SCHEME, FOR ACHIEVING PERFECT FORWARD SECRECY IN CLOSED USER GROUPS, AND FOR SENDING DATAGRAM MULTICASTS," which is a continuation-in-part of U.S. patent application Ser. No. 08/258,272, filed Jun. 10, 1994, entitled "A KEY-MANAGEMENT SCHEME FOR DATAGRAM PROTOCOLS", now U.S. Pat. No. 5,588,060, issued Dec. 24, 1996, and Ser. No. 08/258,344, filed Jun. 10, 1994, entitled "METHOD AND APPARATUS FOR KEY-MANAGEMENT SCHEME FOR USE WITH INTERNET PROTOCOLS AT SITE FIREWALLS", now U.S. Pat. No. 5,416,842, issued May 16, 1995, both filed Jun. 10, 1994, which are incorporated fully herein by reference, assigned to the Assignee, Sun Microsystems, Inc., and referred to herein as the "parent applications".

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to the field of key management schemes, and more particularly, the present invention relates to a key management scheme for networking protocols to provide additional security at the network layer.

2. Art Background

The Internet comprises a spiderweb of connected networks which criss-cross the globe and permit users to send and receive data packets between computers. Although many of the computers coupled to the Internet are disposed at fixed locations, portable computer systems may be physically moved from one location on a network to another. Wireless links coupling the computers to the Internet, including direct satellite links, also allow users to access the Internet from remote areas. As a result of the dramatic increase in the use of the Internet throughout the world, concerns regarding network security naturally arise.

A variety of schemes have been proposed to increase security on the Internet, and a number of these schemes have been adopted. For example, encryption and authentication procedures known as Privacy Enhanced Mail (PEM) provide for enhanced privacy in electronic mail ("e-mail") services over the Internet. Additionally, schemes for utilizing PEM for secure remote user authentication have also been proposed. (See, for example, copending U.S. patent application Ser. No. 08/253,802, filed Jun. 3, 1994, entitled "METHOD AND APPARATUS FOR SECURE REMOTE USER AUTHENTICATION IN A PUBLIC NETWORK", assigned to the Assignee of this patent application, Sun Microsystems, Inc., and hereby incorporated fully by reference.)

However, even if a remote user has been authenticated, there still exists the possibility that an intruder (herein referred to as a "cracker") may mount an active attack to interject himself in data transfers across the Internet. Although a user may incorporate a scheme for secure remote user authentication prior to login, a cracker may sever one of the authenticated parties from the Internet connection, and receive and transmit substitute data packets to the other unwitting party (or potentially to both parties). Once the Internet connection is established, data packets are sent over the network in the clear. For example, a cracker may interject himself between, for example, a user "A" in communication with a user "B" on the Internet, and issue a disconnect command to user A. Upon receipt of the disconnect command from the cracker, user A believes that user B has severed the connection. The cracker may then take over the communication established with user B such that user B does not know that user A is not sending him the packets. A number of issues therefore arise with security over the Internet, including a cracker's ability to monitor data packets in the clear and to interject himself in the communication line such that he may receive and send data packets to unwitting users. It is, therefore, advantageous to provide authenticity and privacy features at the network layer on the Internet. However, the majority of the privacy and authentication protocols which have been proposed provide session-oriented key management schemes. Unfortunately, many of the commonly used network layer protocols are session-less datagram oriented protocols.

In the Applicant's co-pending parent U.S. patent applications of which this U.S. patent is a continuation-in-part, a simple key management scheme (referred to as "SKIP") was disclosed for use in session-less datagram protocols. In the SKIP scheme, a first data processing device (node I) is coupled to a private network which is in turn coupled to the Internet. A second data processing device (node J) is coupled to the same, or to a different network, which is also coupled to the Internet, such that node I communicates with node J using the Internet protocol ("IP"). Node I is provided with a secret value i and a public value g^i mod p. Node J is provided with a secret value j and a public value g^j mod p. Data packets (referred to as "datagrams") are encrypted using the teachings of the present invention to enhance network security. A source node I obtains a Diffie-Hellman (DH) certificate for node J (either from a local cache, from a directory service, or directly from node J), and obtains node J's public value g^j mod p from the DH certificate. Node I then computes the value of g^ij mod p, and derives a key K_ij from the value g^ij mod p. A transient key Kp is generated at random and is used to encrypt the datagram to be sent by node I. The key Kp is used for a configurable number of bytes, which is the maximum number of bytes the node will encrypt using Kp. The key Kp is then encrypted with key K_ij.

Upon receipt of the encrypted datagram by the receiving node J, the node J obtains a DH certificate for node I (either from a local cache, from a directory service or directly from node J) and obtains the public value g^i mod p. Node J then computes the value of g^ij mod p and derives the key K_ij. Node J utilizes the key K_ij to decrypt the transient key Kp, and using the decrypted transient key Kp, node J decrypts the datagram packet, thereby resulting in the original data in unencrypted form.

One aspect of the SKIP scheme disclosed in my co-pending parent application is that K_ij stays constant until the DH certificate changes. Depending on the environment, obtaining a new DH certificate may result in system performance degradation. As will be described, the present invention discloses a method and apparatus for generating other implicit keys from K_ij, without the necessity of generating a new DH certificate or requiring any communication between node I and J to change keys. Using the teachings of the present invention, one secret may be used to generate literally millions of secret keys by stepping the context, where a context is defined by an implicit interchange key. In addition, the present invention provides methods and apparatus for achieving perfect forward secrecy in closed user groups, through the application of one-way functions to the implicit pair-wise secrets for each node. Moreover, the present invention discloses an improved application of SKIP for datagram multicasts.

SUMMARY OF THE INVENTION

The present invention provides an improved simple key management scheme (SKIP) having particular application to datagram protocols such as the Internet protocol (IP).

In one embodiment, the present invention discloses a method and apparatus for generating additional implicit keys from a key [K_ij]_N without the necessity of generating a new Diffie-Hellman (DH) certificate or requiring any communication between nodes to change keys. A first data processing device (node I) is coupled to a private network which is in turn coupled to the Internet. A second data processing device (node J) is coupled to the same, or to a different network, which is also coupled to the Internet, such that node I communicates with node J using the Internet protocol. Node I is provided with a secret value i and a public value which in one embodiment takes the form g^i mod p. Data packets (referred to as "datagrams") are encrypted using the teachings of the present invention to enhance network security. A source node I obtains a DH certificate for node J and obtains node J's public value g^j mod p from the DH certificate. Node I then computes the value of, in one embodiment, g^(N·ij) mod p, and derives a key [K_ij]_N from the value g^(N·ij) mod p (or alternatively, g^(M^N·ij) mod p, where M=2, 3, . . . and N=0, 1, 2 . . .). Each node maintains an internal value of N which is incremented based on time and upon the receipt of a data packet from another node. In the presently preferred embodiment, the value N is stored within the Security Association ID (SAID) field of an Internet specification of the IP Security Protocol (IPSP) defined by the Internet Engineering Task Force.

The key [K_ij]_N is derived from the appropriate quantity of g^(N·ij) mod p by using low order key-sized bits of the respective quantity. The present invention then utilizes the key [K_ij]_N to encrypt a transient key which is referred to as Kp. The key Kp is used for a configurable number of bytes, which is the maximum number of bytes the node will encrypt using Kp. The key Kp is then encrypted with the key [K_ij]_N. The first time a transmitting node I communicates with node J, the node computes the shared secret g^(N·ij) mod p. The value of N is initially set by each node to be equal to 1 (or for the g^(M^N·ij) mod p case, N is initially set to 0), and incremented based on time and updated using the value of N stored in received packets. To calculate g^(N·ij) mod p, node I must determine if it has a cached authenticated public DH key for node J. If it does not have this DH key it must obtain J's DH certificate, verify the DH certificate and cache node J's DH public value. If node I has a cached [K_ij]_N key, and a cached authenticated public DH key for node J, node I then generates a random key Kp and encrypts this key using [K_ij]_N. Node I then encrypts the IP data in Kp and encrypts Kp in [K_ij]_N. Node I then transmits the encrypted IP datagram packet in the encrypted key Kp to the receiving node J. Node I further includes its current internal value of N_I in SAID bytes of the outgoing packet.

The receiving node J initially sets its internal value of N_J as a variable equal to 1. The internal value of N_J is incremented by 1 based on elapsed time as well as by the receipt of a data packet. Upon receipt of the encrypted data packet from node I, the internal value of N_J is compared to the value of N_I in the SAID field of the received packet. If N_I is greater than node J's internal value N_J, node J determines if it has a cached and verified public key for node I. If node J does not have the public key, it obtains a DH certificate for node I and verifies and extracts a DH public value for node I. Node J then computes the value of [K_ij]_N and decrypts the packet using [K_ij]_N and Kp. If the packet is valid, the value of N_J is set equal to N_I. If, however, node J determines that the value of N_I is less than node J's internal value N_J, the data packet is considered to be invalid and discarded. If N_I is equal to N_J, node J determines if it has a cached and verified DH public key for node I. As in the prior case, if node J does not have a cached and verified DH public key for node I, node J proceeds to obtain the DH certificate for node I and extracts the DH public value for node I. The value of [K_ij]_N is then determined and cached for later use. Node J then proceeds to decrypt the encrypted value of Kp in the received data packet using [K_ij]_N, and decrypts the IP data utilizing Kp.

The present invention further provides for the application of one-way functions to the shared secret to enhance security. It has been found that forward security may be obtained through the generation of an implicit pair-wise secret having the value g^(M^N·ij) mod p. In the present invention, the value of M is equal to 2, however other integers may also be used. Thus, if the value [K_ij]_N is compromised at any point, either node I or node J may change the context such that the compromised key is not useable by a cracker to decrypt prior encrypted packets sent over the Internet.

In addition, the present invention further provides methods and apparatus for achieving perfect forward security for closed user groups. Each node in a closed user group precomputes all shared secrets (e.g., g^(2^N·ij) mod p) for each closed group node. Each node then deletes its secret (i, j, . . . , etc.). As the value of N is incremented, each node may compute [K_ij]_N for any value of N without the need to recalculate the shared secret. Upon receipt of a data packet in context N (for a datagram transmitted, for example, by node I), a receiving node J computes [K_ij]_N and decrypts the data packet using Kp. Since it is not necessary to compute the implicit shared secret between the nodes in the closed user group, perfect forward secrecy is achieved since a cracker's discovery of the value of [K_ij]_N, and thereby the value for a particular N of g^(2^N·ij) mod p, will not assist in decrypting packets encrypted in contexts earlier than N.

The present invention further provides an improved application of the SKIP methodology to datagram multicast protocols. Where secure multicasting to a multicast address M is required, a group membership creation primitive establishes the group key K_g and the membership list of addresses that are permitted to transmit and receive datagrams to and from address M. In the case of multicasts, the group key K_g is not used as a packet encryption key, but rather as a group interchange key (GIK). K_g is therefore used as a key encrypting key similar to the way in which pair keys [K_ij]_N are used in SKIP for unicast methodologies. Nodes wishing to encrypt and decrypt datagrams to the multicast address M acquire the GIK K_g. In the presently preferred embodiment, the acquisition of the group interchange key is accomplished by sending an encrypted request to join to the group owner. If the requesting node's address is part of the group authorized membership list, the group owner then sends the GIK to the requesting node. The currently envisioned application of the present invention's improved datagram multicast protocol is further described with reference to an Internet standard proposed by the inventor of this patent.
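The stepped contexts and the receiver's handling of N described in this Summary, as an added example that is neither the patent's code nor any SKIP implementation's: each closed-group node precomputes g^ij mod p for its peers and then drops its DH secret, [K_ij]_N is taken as the low-order key-sized bits of g^(M^N·ij) mod p with M = 2, the sender carries its current N in the packet, and the receiver discards packets whose N_I is below its own N_J, checks validity, and moves N_J up to N_I on a valid packet from a newer context. The values of g and p, the 128-bit key size and the HMAC tag that gives "the packet is valid" a concrete meaning are assumptions of the example. It shows the mechanics of stepping and of the N comparison; the forward-secrecy property the page attributes to the M-th-power step is the page's claim, not something the code demonstrates.

```python
import hashlib
import hmac

# Constructed parameters; the page names g and p but fixes no values.
P = 2**255 - 19
G = 2
M = 2            # the Summary's preferred value of M
KEY_BYTES = 16   # "key-sized bits" assumed to be 128


def step_secret(shared: int, n: int) -> int:
    """g^(M^N·ij) mod p from g^ij mod p: raise to the M-th power N times.

    Each step uses only the previous stepped value, so a node that has
    precomputed g^ij mod p and deleted its secret i can keep stepping.
    """
    s = shared
    for _ in range(n):
        s = pow(s, M, P)
    return s


def context_key(stepped: int) -> bytes:
    """[K_ij]_N: the low-order key-sized bits of the stepped quantity."""
    return stepped.to_bytes((P.bit_length() + 7) // 8, "big")[-KEY_BYTES:]


def tag(key: bytes, n: int, body: bytes) -> bytes:
    """Constructed integrity check so 'the packet is valid' means something
    concrete; the page does not say how validity is judged."""
    return hmac.new(key, n.to_bytes(4, "big") + body, hashlib.sha256).digest()[:8]


class ClosedGroupNode:
    """A node after FIG. 7: shared secrets precomputed, DH secret deleted."""

    def __init__(self, my_secret: int, peer_publics: dict):
        # Precompute g^ij mod p for every other group member, then forget the secret.
        self.shared = {peer: pow(pub, my_secret, P) for peer, pub in peer_publics.items()}
        del my_secret
        self.n = 0                  # the M^N embodiment starts N at 0
        self.key_cache = {}

    def key_for(self, peer: str, n: int) -> bytes:
        """[K_ij]_N for a peer, cached per context as the Summary describes."""
        if (peer, n) not in self.key_cache:
            self.key_cache[(peer, n)] = context_key(step_secret(self.shared[peer], n))
        return self.key_cache[(peer, n)]

    def tick(self):
        """Time-based increment of the node's internal N."""
        self.n += 1

    def send(self, peer: str, body: bytes):
        """Outgoing datagram carries the sender's current N (the SAID bytes)."""
        return self.n, body, tag(self.key_for(peer, self.n), self.n, body)

    def receive(self, peer: str, packet) -> str:
        """FIGS. 4 and 5: compare the packet's N_I with our own N_J."""
        n_i, body, t = packet
        if n_i < self.n:
            return "discard"                  # older context than ours: invalid
        key = self.key_for(peer, n_i)         # N_I == N_J or N_I > N_J: compute/cached
        if not hmac.compare_digest(t, tag(key, n_i, body)):
            return "discard"                  # fails the validity check; N_J unchanged
        if n_i > self.n:
            self.n = n_i                      # valid packet from a newer context: catch up
        return "accept"


def demo() -> list:
    """Two constructed nodes: I's clock runs ahead, then a stale context is replayed."""
    i, j = 0x1111, 0x2222                               # constructed DH secrets
    node_i = ClosedGroupNode(i, {"J": pow(G, j, P)})
    node_j = ClosedGroupNode(j, {"I": pow(G, i, P)})
    results = []
    node_i.tick()
    node_i.tick()                                       # N_I = 2 while N_J is still 0
    results.append(node_j.receive("I", node_i.send("J", b"constructed datagram")))
    results.append(node_j.n)                            # J has moved up to 2
    stale = (0, b"replayed", tag(node_i.key_for("J", 0), 0, b"replayed"))
    results.append(node_j.receive("I", stale))          # N_I < N_J: discarded
    return results


if __name__ == "__main__":
    print(demo())
```

Note that a packet carrying a larger N_I only advances N_J after the tag verifies under the key for that context, so an unauthenticated packet cannot push the receiver's counter forward; the Summary's "if the packet is valid" is the step that makes the N comparison safe.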

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a data processing system incorporating the teachings of the present invention.

FIG. 2 diagrammatically illustrates one possible network scheme using the teachings of the invention in an Internet environment.

FIG. 3 illustrates a flow chart of the steps executed in sending an encrypted data packet from a network node I to a network node J, in accordance with the teachings of the present invention.

FIGS. 4(a) and 4(b) are flow charts of the steps executed by each node to change the value of the variable N in the calculation of [K_ij]_N and to decrypt a data packet where N_I > N_J.

FIGS. 5(a) and 5(b) are flow charts of the steps executed for the receipt of encrypted data packets by node J from node I where N_I = N_J and N_I < N_J.

FIG. 6 diagrammatically illustrates the transmission format of an encrypted datagram.

FIG. 7 is a flow chart of the steps executed by the present invention to achieve perfect forward secrecy for closed user groups.

Notation and Nomenclature 

The detailed descriptions which follow are presented 
largely in terms of symbolic representations of operations of 
data processing devices coupled to a network. These process 
descriptions and representations are the means used by those 
skilled in the data processing arts to most effectively convey 
the substance of their work to others skilled in the art. 

An algorithm is here, and generally, conceived to be a 
self-consistent sequence of steps leading to a desired result. 
These steps are those requiring physical manipulations of 
physical quantities. Usually, though not necessarily, these 
quantities may take the form of electrical or magnetic 
signals capable of being stored, transferred, combined, 
compared, displayed and otherwise manipulated. It proves 
convenient at times, principally for reasons of common 
usage, to refer to these signals as bits, values, elements, 
symbols, operations, messages, terms, numbers, or the like. 
It should be borne in mind, however, that all of these similar 
terms are to be associated with the appropriate physical 
quantities and are merely convenient labels applied to these 
quantities. 

In the present invention, the operations referred to are 
machine operations. Useful machines for performing the 
operations of the present invention include general purpose 
digital computers (referred herein as "nodes"), or other 
similar devices. In all cases, the reader is advised to keep in 
mind the distinction between the method operations of 
operating a computer and the method of computation itself. 
The present invention relates to method steps for operating a computer, coupled to a series of networks, and processing electrical or other physical signals to generate other desired physical signals. 

The present invention also relates to apparatus for per- 
forming these operations. This apparatus may be specially 
constructed for the required purposes or it may comprise a 
general purpose computer selectively activated or reconfig- 
ured by a computer program stored in the computer. The 
method/process steps presented herein are not inherently 
related to any particular computer or other apparatus. Vari- 
ous general purpose machines may be used with programs in 
accordance with the teachings herein, or it may prove more 
convenient to construct specialized apparatus to perform the 
required method steps. The required structure for a variety of 
these machines will be apparent from the description given 
below. 



DETAILED DESCRIPTION OF THE INVENTION 

In the following description, numerous specific details are 
set forth such as system and network configurations, repre- 
sentative data packets, messages, and devices, etc., to pro- 
vide a thorough understanding of the present invention. 
However, it will be apparent to one skilled in the art that the 
present invention may be practiced without these specific 
details. In other instances, well known circuits and structures 
are not described in detail in order to not obscure the present 
invention. Moreover, certain terms such as "knows", 
"verifies", "examines", "utilizes", "finds", "determines", 
"challenges", "authenticates", etc., are used in this Specifi- 
cation and are considered to be terms of art. The use of these 
terms, which to a casual reader may be considered personi- 
fications of computer or electronic systems, refers to the 
functions of the system as having human-like attributes, for 
simplicity. For example, a reference herein to an electronic 
system as "determining" something is simply a shorthand 
method of describing that the electronic system has been 
programmed or otherwise modified in accordance with the 
teachings herein. The reader is cautioned not to confuse the 
functions described with everyday human attributes. These 
functions are machine functions in every sense. 

Exemplary Hardware 

FIG. 1 illustrates a data processing system in accordance 
with the teachings of the present invention. Shown is a 

computer 10, which comprises three major components. The 
first of these is an input/output (I/O) circuit 12 which is used 
to communicate information in appropriately structured 
form to and from other portions of the computer 10. In 
addition, computer 10 includes a central processing (CPU) 
13 coupled to the I/O circuit 12 and a memory 14. These 
elements are those typically found in most general purpose 
computers and, in fact, computer 10 is intended to be 
representative of a broad category of data processing 
devices. Also shown is an interface circuit 17 coupled to the 

I/O circuit 12 for coupling the computer 10 to a network, in 
accordance with the teachings herein. The interface circuit 
17 may include encrypting and decrypting circuitry incor- 
porating the present invention, or as will be appreciated, the 
present invention may be implemented in software executed 

by computer 10. A raster display monitor 16 is shown 
coupled to the I/O circuit 12 and is used to display images 
generated by CPU 13 in accordance with the present inven- 
tion. Any well known variety of cathode ray tube (CRT) or 
other type of display may be utilized as display 16. 

Referring now to FIG. 2, a simplified diagram conceptually illustrates the Internet 20 coupled to a private network 22, a second private network 26, and a third private network 30. The network topology illustrated in FIG. 2 is representative of the existing Internet topology; however, it will be noted that the present invention provides an improved key management scheme which has application for use in networks other than the Internet.

One of the unique aspects of the Internet system is that messages and data are transmitted through the use of datagram packets. In a datagram-based network, messages are sent from a source to a destination in a similar manner to a government mail system. For example, a source computer may send a datagram packet to a destination computer regardless of whether or not the destination computer is currently on-line and coupled to the network. The Internet protocol (IP) is completely session-less, such that IP datagram packets are not associated with one another.
In this Specification, the present invention will be described with reference to communication between a node I coupled to private network 22, and a node J coupled to the private network 30, as shown in FIG. 2. The nodes I and J represent computers, such as the computer illustrated in FIG. 1, coupled to their respective networks. For simplicity and ease of understanding, an operation by, for example, "node I", shall be understood to mean an operation by the computer coupled to network 22. It will also be noted that although FIG. 2 represents nodes I and J as intermediate or end user computers, the present invention may also be applied to firewalls. In such event, nodes I and J would represent firewall machines coupled between their respective networks and the Internet 20. For a description of the application of SKIP to site firewalls, the reader is referred to my co-pending parent application Ser. No. 08/258,344, filed Jun. 10, 1994, entitled "METHOD AND APPARATUS FOR KEY-MANAGEMENT SCHEME FOR USE WITH INTERNET PROTOCOLS TO SITE FIREWALLS".

As described in my co-pending parent application, and incorporated herein by reference, one way to obtain authenticity and privacy at a datagram layer is to use RSA public key certificates. Traditionally, in the event node I desires to send a datagram to, for example, node J, the node I communicates with node J and authenticates itself using a certificate based key management infrastructure. An example of a certificate based infrastructure key management for secure Internet e-mail is the Privacy Enhanced Mail (PEM) system (see the PEM RFC documents filed concurrent with the Application upon which this patent is based, and incorporated herein by reference, entitled "Privacy Enhancement for Internet Electronic Mail", parts I-IV, RFCs 1421-1424, available on the Internet).

The certificates used by PEM are RSA public key certificates. An RSA public key certificate is one which contains an RSA public key. (See, A. Aziz, W. Diffie, "Privacy and Authentication for Wireless LANs", IEEE Personal Communications, February 1994; and also, W. Diffie, M. Wiener, P. Oorschot, "Authentication and Authenticated Key Exchanges".) There are two primary ways in which RSA certificates can be used to provide authenticity and privacy for a datagram protocol. The first way is to use out-of-band establishment of an authenticated session key, using one of several session key establishment protocols. This session key can then be used to encrypt IP data traffic. Such a scheme has the disadvantage of establishing and maintaining a pseudo session state on top of a session-less protocol. The IP source must first communicate with the IP destination to acquire this session key. In addition, when the session key must be changed to insure security, the IP source and the IP destination need to communicate again to effectuate the change. Each such communication involves the use of a computationally expensive public-key operation. This communication requirement is particularly ill-suited to a datagram protocol like IP, which does not require the receiving computer to be in operation to send packets to it, although to establish and change negotiated session keys the receiving computer must be operational.

The second way an RSA certificate can be used to provide authenticity and privacy in a datagram protocol is to complete in-band signalling of the packet encryption key, such that the packet encryption key is encrypted in the recipient's public key. This is the method PEM utilizes to accomplish message encryption. Although this avoids the session state establishment requirement, and also does not require the two communicating computers to be operational at the same time, it is necessary to carry the packet encryption key encrypted in the recipient's public key in every packet. Since an RSA encrypted key would minimally need to be 64 bytes, and can be 128 bytes, this scheme incurs the overhead of 64-128 bytes of keying information in every packet. In addition, when the packet encryption key changes, a public key operation would need to be performed to recover the new packet encryption key. Thus, both the protocol and computational overhead of such a scheme is high.

As disclosed in my parent applications, the use of Diffie-Hellman (DH) public-key certificates avoids the pseudo session state establishment, and the communications requirement between the two communicating computers to acquire and change packet encrypting keys (see, W. Diffie, M. Hellman, "New Directions in Cryptography", IEEE Transactions on Information Theory). Furthermore, the use of a DH public-key certificate does not incur the overhead of carrying 64-128 bytes of keying information in every packet, and does not require the receiving computer to be operational to establish and change packet encrypting keys.

Referring now to the flowcharts illustrated in FIGS. 3 and 4, the present invention utilizes DH public-key certificates for key management, such that each IP source and destination is provided with a Diffie-Hellman public key. This DH public key is distributed in the form of a certificate. The certificate can be signed using either an RSA or DSA signature algorithm. The certificate is referred to herein as a "Diffie-Hellman" (DH) certificate, because the public value that is certified is a Diffie-Hellman public value.

It will be appreciated that the present invention's use of DH certificates to compute a shared key is fundamentally different than the use of the DH certificate to negotiate a session key, for example, as described in the paper by Whitfield Diffie, entitled "Authentication and Authenticated Key Exchanges" (Kluwer Academic Publishers, 1992), because the present invention uses a zero-message protocol to compute a shared secret. All past uses of DH certificates have involved exchanging messages between the two communicating parties.

As will be described, the present invention discloses an improved method and apparatus for generating additional implicit interchange keys for use with the SKIP scheme previously disclosed in the applicant's copending parent applications of this continuation-in-part application. For purposes of this Specification, a "context" is an implicit interchange key, where an interchange key is a key which is used to encrypt other keys, as opposed to a traffic key. For example, in the parent applications K_ij was considered the interchange key. Accordingly, it is desirable to step the interchange key creating new additional interchange keys, thereby creating further secrets from the original implicit pair-wise interchange key generated. In accordance with the original teachings in the parent applications, upon initialization, each IP source or destination computer, for example node I, is provided with a secret value i, and computes a public value g^i mod p. Similarly, node J is provided with a secret value j, and computes a public value g^j mod p. For purposes of illustration, assume that node I wishes to communicate to node J coupled to private network 30 in FIG. 2. As previously described in the parent applications, both I and J can acquire a shared secret g^ij mod p without having to communicate, so long as the public key of each IP node is known to all other IP nodes. The values g and p are system parameters, where p is a prime number. It will be appreciated by one skilled in the art that local
parties to communicate to set up and change packet encryp- caching of DH certificates can eliminate the constant need 
tion keys, this scheme has the disadvantage of having to for directory service, thereby minimizing system overhead. 
One improvement of the present invention is to create additional shared secrets from $g^{ij} \bmod p$. Utilizing the SKIP scheme, the computable shared secret is used as a key encrypting key to provide for IP packet based authentication and encryption. Thus, $g^{ij} \bmod p$ was defined in the original SKIP scheme as a long-term key, and $K_{ij}$ was derived from this long-term key. The key $K_{ij}$, used as the key for a shared key cryptosystem (SKCS) such as DES or RC2, constitutes an implicit pair-wise shared secret, since $K_{ij}$ does not need to be sent in every packet or negotiated out of band. Simply by examining the source of an IP packet, the destination IP node (for example node J) may compute the shared secret $K_{ij}$.

As disclosed herein, the successive application of a function to the value $g^{ij} \bmod p$ results in the creation of additional implicit pair-wise shared secrets without the necessity of communicating the shared secret between nodes I and J or obtaining a new DH certificate.

In this Specification, the value $[K_{ij}]_N$ denotes the Nth implicit key, where N is indicated in the received packet, as will be described more fully below. Additionally, the quantity $[K_{ij}]_N$ may be determined by evaluating the quantity $g^{Nij} \bmod p$ where N = 1, 2, ..., or alternatively $g^{(M^{N})ij} \bmod p$, where N = 0, 1, 2, ..., Z and M = 2, 3, 4, ..., y. As in the original SKIP scheme which is the subject of my parent applications, the key $[K_{ij}]_N$ is derived from the appropriate quantity $g^{Nij} \bmod p$ (or $g^{(M^{N})ij} \bmod p$) by using low order key-size bits of the respective quantity. The way in which $g^{Nij}$ is computed is by a simple extrapolation of the DH scheme: each node computes $(g^{j})^{N}$ and in turn raises it to its own secret, $((g^{j})^{N})^{i} = g^{Nij} \bmod p$. In this Specification, it will be appreciated that the present invention may be realized using either $g^{Nij} \bmod p$ or, alternatively, $g^{(M^{N})ij} \bmod p$. The use of $g^{(M^{N})ij} \bmod p$ provides additional security and, as will be described, forward secrecy. N is a number that is stored on a pairwise basis in each node. The value of N may be different for different nodes J, K, ..., etc.

Since $g^{Nij} \bmod p$ is minimally at least 512 bytes (and for greater security may be 1024 bytes or higher), sufficient bytes may be derived for use as $K_{ij}$, used as a key for the SKCS. Typically, SKCS key sizes are in the range of 40-172 bits.

As provided by the SKIP scheme, the present invention then utilizes the key $[K_{ij}]_N$ to encrypt a "transient key", which is referred to as $K_p$. The key $K_p$ is generated at random to encrypt a configurable number of data packets. After the configurable number of data packets have been sent, a new $K_p$ is generated at random. The transient key $K_p$ is used to encrypt an IP data packet, or a collection of IP data packets. The encryption using $K_p$ limits the amount of data encrypted in the long-term key which a potential cracker can access. Since it is desirable to retain the long-term key for a relatively long period of time (one or two years), the actual IP data traffic is not encrypted in key $[K_{ij}]_N$. In the preferred embodiment of the invention, only the transient keys are encrypted using $[K_{ij}]_N$, and the transient keys are used to encrypt IP data traffic. Thus, the amount of data encrypted in the long-term key $[K_{ij}]_N$ is limited to a relatively small amount over a long period of time.

For purposes of explanation, assume that $[K_{ij}]_N$ is derived from $g^{Nij} \bmod p$. As previously noted, the generalized one-way function $g^{(M^{N})ij} \bmod p$ may also be used. The first time the IP source, such as node I, which has been provided with the secret value $i$, communicates with the IP node J, which has been provided with a secret value $j$, node I computes the shared secret $g^{Nij} \bmod p$. As will be described, the value of N is an internal value which is initially set by each node to be equal to 1, and incremented based on time and updated using the value of N stored in received packets. In the presently preferred embodiment of the invention, the value N is disposed within a field identified as the Security Association ID ("SAID") in a Specification of IP Security Protocol (IPSP) defined by the Internet Engineering Task Force. The SAID field includes user definable bytes which the present invention utilizes to transmit the value of N. However, it will be appreciated that a variety of mechanisms may be utilized to transmit the value of N, and that the use of the SAID field is only one mechanism of many.

Referring now to FIG. 3, the sequence of steps utilized by the present invention to encrypt and transmit a packet is illustrated. As shown, a transmitting node I initially sets an internal value of $N_i$ to 1 (or $N_i$ = 0 for the $M^{N}$ case), and determines whether or not node I has a previously cached $[K_{ij}]_N$ key. The first time an IP source such as node I, which has been provided with the secret value $i$, communicates with the IP node J, which has been provided with the secret value $j$, node I computes the shared secret $g^{Nij} \bmod p$. To calculate $g^{Nij} \bmod p$, node I must determine if it has a cached authenticated public DH key for node J. If node I

As illustrated in FIG. 3, if node I has a cached $[K_{ij}]_N$ key and a cached authenticated public DH key for node J, these steps are not repeated. Node I then generates a random key $K_p$ and encrypts this key using $[K_{ij}]_N$. Node I then encrypts the IP packet data in $K_p$, and encrypts $K_p$ in $[K_{ij}]_N$. Node I then transmits the encrypted IP datagram packet and the encrypted key $K_p$ to the receiving node J. Node I further includes its current internal value of $N_i$ in the SAID field of the outgoing packet. The outgoing datagram packet sent by the source node I takes the form illustrated in FIG. 6.

Referring now to FIGS. 4(a), 4(b) and 5, the steps for receiving and decrypting the data packet sent by node I to node J will be described. As shown in FIG. 4(a), the receiving node J initially sets its internal value of $N_j$ as a variable which is changed internally, or upon the receipt of a valid encrypted packet. For example, as shown in FIG. 4(a), after a predetermined time the internal value of $N_j$ in node J is incremented to $N_j + 1$. The incrementing of N is done in the same manner for each node as that described herein with reference to node J. However, for simplicity and ease of understanding, only the case of node J is described in this Specification.

Upon the receipt of an encrypted data packet from node I, the internal value of the variable $N_j$ at node J is compared to the value of $N_i$ in the SAID field of the received packet. If $N_i$ is greater than node J's internal value $N_j$, node J determines if it has a cached and verified public key for node I. If node J does not have the public key, it obtains a DH certificate for node I and verifies and extracts a DH public value for node I. Node J then computes the value of $[K_{ij}]_N$ and decrypts the packet (P) using $[K_{ij}]_N$ and $K_p$. Node J then determines if the packet P is a valid encrypted packet in the context N. This determination may be accomplished using a number of mechanisms including checksum verifications, examining header formats and the like. If the packet is not validly encrypted in context $N_i$, then the data packet is considered invalid and discarded. If the data packet (P) is determined to be a valid encrypted packet in the context $N_i$, then the internal value of $N_j$ for node J is set equal to $N_i$. Normal data packet processing is then done by node J.
Continuing to refer now to FIGS. 5(a) and 5(b), if node J determines that the value of $N_i$ in the SAID field is less than node J's internal value $N_j$, the data packet is considered to be invalid and discarded. Since in accordance with the teachings of the present invention the values of $N_i$ and $N_j$ may only increase, the case where a received data packet provides a value of $N_i$ which is less than $N_j$ denotes an error condition.

If $N_i$ is equal to $N_j$, node J determines if it has a cached and verified DH public key for node I. If node J does not have a cached and verified DH public key for node I, node J proceeds to obtain the DH certificate for node I, verifies the certificate, and extracts the DH public value for node I. The value of $[K_{ij}]_{N_i}$ is then determined and cached for later use. As illustrated in FIG. 3, node J then proceeds to decrypt the encrypted value of $K_p$ in the received data packet using $[K_{ij}]_N$ and decrypts the IP data utilizing $K_p$. Node J then completes normal packet processing with the decrypted data packet. Normal packet processing may include the delivery to an appropriate local transport entity, or other outbound interface.
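The following Python program is an added illustration of the send and receive steps just described (FIGS. 3 to 5); it is not code from this patent or from any SKIP implementation. It derives $[K_{ij}]_N$ from $g^{Nij} \bmod p$ at both ends without any message exchange, carries $N_i$ in the SAID position of a constructed packet layout, and applies node J's three cases: $N_i < N_j$ is discarded, $N_i > N_j$ is accepted only if the packet validates in context $N_i$ (after which $N_j := N_i$), and $N_i = N_j$ uses the cached key. The modulus, generator, secrets and packet layout are constructed for the example, and the SKCS and the "valid packet" check are stand-ins built from SHA-256 and HMAC rather than DES, RC2 or RC4; node J's copy of node I's public value is assumed to have been obtained from a verified certificate.

```python
"""SKIP-style implicit interchange keys [K_ij]_N with N-context checks (added example)."""
import hashlib
import hmac
import os
import struct

# Constructed toy system parameters.  Real deployments use a 1024-bit or larger
# prime p; 2^127 - 1 is prime and keeps the arithmetic readable.
P = (1 << 127) - 1
G = 3
KEY_BYTES = 16
TAG_BYTES = 8


def public_value(secret):
    """DH public value g^x mod p, the quantity carried in a node's DH certificate."""
    return pow(G, secret, P)


def interchange_key(my_secret, peer_public, n):
    """[K_ij]_N from g^(N*i*j) mod p: raise the peer's public value to N, then to
    our own secret.  Nothing is exchanged.  The low-order KEY_BYTES bytes are used."""
    shared = pow(pow(peer_public, n, P), my_secret, P)
    return shared.to_bytes(16, "big")[-KEY_BYTES:]


def skcs(key, nonce, data):
    """Stand-in for the SKCS (not DES/RC2/RC4): XOR with a SHA-256 counter
    keystream.  Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + struct.pack("!I", off // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def tag(key, msg):
    """Integrity check standing in for the page's 'checksum verification'."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_BYTES]


class NodeI:
    """Sender: keeps N_i, the transient key K_p and a cache of [K_ij]_N."""

    def __init__(self, secret, peer_public):
        self.secret, self.peer_public = secret, peer_public
        self.n = 1                               # N_i starts at 1 for the g^(Nij) form
        self.kp = os.urandom(KEY_BYTES)
        self.cache = {}

    def step_context(self):
        self.n += 1                              # N only ever increases

    def rekey(self):
        self.kp = os.urandom(KEY_BYTES)          # new K_p after a configurable number of packets

    def send(self, payload):
        kij = self.cache.setdefault(self.n, interchange_key(self.secret, self.peer_public, self.n))
        mi = os.urandom(8)                       # message indicator / nonce for this packet
        header = struct.pack("!I", self.n) + mi  # N_i travels in the SAID field
        enc_kp = skcs(kij, b"kp" + mi, self.kp)  # K_p encrypted in [K_ij]_N
        body = skcs(self.kp, mi, payload)        # data encrypted in K_p only
        msg = header + enc_kp + body
        return msg + tag(kij, msg)


class NodeJ:
    """Receiver: applies the N_i versus N_j comparison of FIGS. 4 and 5."""

    def __init__(self, secret, peer_public):
        self.secret, self.peer_public = secret, peer_public  # peer cert assumed verified
        self.n = 1
        self.cache = {}

    def receive(self, pkt):
        """Return the plaintext, or None when the packet is discarded."""
        (n_i,) = struct.unpack("!I", pkt[:4])
        if n_i < self.n:
            return None                          # contexts only increase: error, discard
        kij = self.cache.get(n_i) or interchange_key(self.secret, self.peer_public, n_i)
        msg, t = pkt[:-TAG_BYTES], pkt[-TAG_BYTES:]
        if not hmac.compare_digest(tag(kij, msg), t):
            return None                          # not a valid packet in context N_i
        self.cache[n_i] = kij
        self.n = n_i                             # N_j := N_i (unchanged when equal)
        mi = pkt[4:12]
        enc_kp, body = msg[12:12 + KEY_BYTES], msg[12 + KEY_BYTES:]
        kp = skcs(kij, b"kp" + mi, enc_kp)
        return skcs(kp, mi, body)


def demo():
    i, j = 0x1F3A9C7E5D2B4860, 0x0BADC0FFEE123457       # constructed DH secrets
    node_i, node_j = NodeI(i, public_value(j)), NodeJ(j, public_value(i))
    first = node_i.send(b"first packet, context 1")
    out = [node_j.receive(first)]
    node_i.step_context()                        # N_i = 2: new implicit key, no handshake
    node_i.rekey()
    out.append(node_j.receive(node_i.send(b"context 2")))
    out.append(node_j.receive(first))            # replay from context 1: N_i < N_j, discarded
    bad = bytearray(node_i.send(b"x"))
    bad[-1] ^= 1                                 # corrupted integrity tag: discarded
    out.append(node_j.receive(bytes(bad)))
    return tuple(out)
```

Because node J only moves forward, a packet from an earlier context is rejected even if it was genuine, which is the replay behaviour the specification asks for across contexts; within one context the example provides no replay protection, since the page leaves that to the message indicator and the IPSP sequence number.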

Referring briefly to FIG. 6, the Message Indicator (MI) is a field that is used to preserve the statelessness of the protocol of the present invention. If a single key is used to encrypt multiple packets (which is highly desirable, since changing the key on a per-packet basis constitutes significant computational overhead), then the packets need to be decryptable regardless of lost or out-of-order packets. The MI field serves this purpose. The actual content of the MI field is dependent on the choice of SKCS used for $K_p$ and its operating mode. For example, if $K_p$ refers to a block cipher (e.g. DES) operating in Cipher-Block-Chaining (CBC) mode, then the MI for the first packet encrypted in key $K_p$ is the Initialization Vector (IV). For subsequent packets, the MI is the last blocksize bits of ciphertext of the last (in transmit order) packet. For DES or RC2 this would be 64 bits. For stream ciphers like RC4, the MI is simply the count of bytes that have already been encrypted in key $K_p$ (and may also be 64 bits).
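The CBC rule above, worked through as an added example that is not part of the patent: each packet carries its MI, the first being a fresh IV and each later one the last ciphertext block of the previously transmitted packet, so a receiver can decrypt any packet on its own, out of order or with its predecessor lost. The block cipher is a constructed 64-bit Feistel toy built on SHA-256, not DES or RC2, and the padding scheme is an assumption; only the 64-bit block size matches the page.

```python
"""Message Indicator (MI) for CBC-mode packet keys (added example, not SKIP code)."""
import hashlib
import os

BLOCK = 8  # 64-bit blocks, as for DES or RC2 on the page


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, rnd, half):
    """Toy Feistel round function (constructed stand-in; this is NOT DES)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def block_encrypt(key, blk):
    left, right = blk[:4], blk[4:]
    for rnd in range(8):
        left, right = right, _xor(left, _round(key, rnd, right))
    return right + left


def block_decrypt(key, blk):
    left, right = blk[:4], blk[4:]
    for rnd in reversed(range(8)):
        left, right = right, _xor(left, _round(key, rnd, right))
    return right + left


def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    return data[:-data[-1]]


def cbc_encrypt(key, iv, data):
    prev, out = iv, bytearray()
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(key, iv, data):
    prev, out = iv, bytearray()
    for i in range(0, len(data), BLOCK):
        out += _xor(block_decrypt(key, data[i:i + BLOCK]), prev)
        prev = data[i:i + BLOCK]
    return bytes(out)


class MISender:
    """Emits packets of the form MI || ciphertext, all under one transient key K_p."""

    def __init__(self, kp):
        self.kp = kp
        self.next_mi = os.urandom(BLOCK)      # MI of the first packet is a fresh IV

    def send(self, plaintext):
        mi = self.next_mi
        ct = cbc_encrypt(self.kp, mi, pad(plaintext))
        self.next_mi = ct[-BLOCK:]            # page's rule: last ciphertext block of the last packet
        return mi + ct


def receive(kp, packet):
    """Each packet decrypts on its own: the IV it needs is its own MI field."""
    mi, ct = packet[:BLOCK], packet[BLOCK:]
    return unpad(cbc_decrypt(kp, mi, ct))


def demo():
    kp = bytes(range(16))                     # constructed transient key
    sender = MISender(kp)
    packets = [sender.send(b"packet one"), sender.send(b"packet two, longer"), sender.send(b"three")]
    chained = packets[1][:BLOCK] == packets[0][-BLOCK:]
    # Deliver out of order and drop packet two entirely: the rest still decrypt.
    return chained, receive(kp, packets[2]), receive(kp, packets[0])
```

One caveat a practitioner should note: reusing the previous packet's last ciphertext block as the next IV makes the IV predictable to anyone who saw that packet, and predictable CBC IVs permit chosen-plaintext attacks. The statelessness property does not depend on chaining; a fresh random IV carried in the MI field of every packet gives the same loss tolerance without that weakness.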

If the source node I decides to change the packet encryption key $K_p$, the receiving node J can discover this fact without having to perform a public-key operation. The receiving node J uses the cached value $[K_{ij}]_N$ to decrypt the encrypted packet key $K_p$, and this is a shared-key cryptosystem operation. Thus, without requiring communication between the transmitting (I) and receiving (J) ends, and without necessitating the use of a public-key operation, the packet encrypting key can be changed by the transmitting side.

Since DH certificates are used, the nodes I and J have no public-key signature algorithm. It will be appreciated that the lack of a public-key signature algorithm is not a major issue, since signing each packet using a public-key cryptosyst8em is too cumbersome in any case. In accordance with the present invention, the integrity of the packets is determined in a pair-wise fashion using a SKCS.

Application of One-Way Functions 

In any security system, it is generally assumed that the keys are not compromised. For the sake of example, assume that a cracker successfully obtains $K_p$. The cracker can also learn the encryption of $K_p$ under $K_{ij}$, because this information is part of the packet header. The cracker may then send forged traffic to either node I or node J pretending to be the other node. In addition, if a cracker learns a node's secret (e.g., $i$), this allows the cracker to compute $K_{ij} = g^{ij} \bmod p$, and thus to decrypt all traffic that was encrypted using $K_{ij}$ as the interchange key.



The protocols described in the preceding portions of this specification can be employed in a special situation, the closed user group, to limit the damage that would otherwise occur if an interchange key $[K_{ij}]_N$ is compromised. A closed user group is one whose membership is determined once and for all at a given point in time; no new members are added after that point. The damage limitation feature of the invention, explained below, is referred to as "perfect forward secrecy."

In accordance with the teachings of the preceding portions of this specification, the nodes of the closed user group will periodically change the interchange key $[K_{ij}]_N$ which they use. When the key is changed by any party, the nodes of the closed user group will increment N and thus begin using a new interchange key $[K_{ij}]_{N+1}$.

The term "perfect forward secrecy" is used in this specification to mean that if an Nth level key $[K_{ij}]_N$ is compromised, an intruder will not be able to read traffic encrypted with previous keys $[K_{ij}]_S$ for S<N. The protection runs in one direction only: because f is efficiently computable by design, an intruder holding $[K_{ij}]_N$ can derive every later key $[K_{ij}]_S$ for S>N, so compromise of one context exposes all subsequent contexts, not merely the current one. Through an appropriate choice of the function f(z) which is used to obtain the interchange key $[K_{ij}]_N$ from the previous interchange key $[K_{ij}]_{N-1}$, and with appropriate choice of the modulus $p$, perfect forward secrecy may be achieved. The key to perfect forward secrecy is that f be a one-way function, that is to say, one which is difficult to invert, so that if one knows f(z), it is difficult to compute z.

An appropriate choice of the function f(z) is exponentiation by a number M ≥ 2 with respect to a modulus $p$, so that $f(z) = z^{M} \bmod p$. If the first interchange key is $[K_{ij}]_0 = g^{ij} \bmod p$, the second key will be $f([K_{ij}]_0) = (g^{ij})^{M} \bmod p = g^{Mij} \bmod p$, the third $f^{2}([K_{ij}]_0) = (g^{ij})^{M^{2}} \bmod p = g^{M^{2}ij} \bmod p$, and so forth, with $[K_{ij}]_N = g^{M^{N}ij} \bmod p$ for all N. With this choice of the function f(z), in order to compute $[K_{ij}]_N$ given $[K_{ij}]_S$ with S<N, one simply raises $[K_{ij}]_S$ to the $M^{N-S}$th power:

$$(g^{M^{S}ij})^{M^{N-S}} \bmod p = g^{M^{S}ij \cdot M^{N-S}} \bmod p = g^{M^{N}ij} \bmod p.$$

In contrast, in order to compute $[K_{ij}]_{N-1}$ given $[K_{ij}]_N$, it is necessary to take the Mth root of $[K_{ij}]_N$ modulo $p$.

Efficient algorithms for computing Mth roots modulo $p$ are known for $p$ prime. One such algorithm is given in Henri Cohen, A Course in Computational Algebraic Number Theory, § 1.6 (1993). These algorithms can be extended to composite $p$ whose factorization into primes is known. However, no such efficient algorithm is known for computing Mth roots modulo $p$ if $p$ is a composite number whose factorization into primes is unknown. If there were such an efficient algorithm, then the widely used Rivest-Shamir-Adleman (RSA) cryptosystem would be insecure; the fact that people have been trying to crack RSA for almost 20 years provides some assurance that Mth roots modulo a composite number are hard to compute. For this reason, if $f(z) = z^{M} \bmod p$ is chosen as the function for going from the Nth to the (N+1)st interchange key, and $p$ is a composite number which is difficult to factor, then f(z) is a one-way function.

For exponentiation modulo $p$ to be a true one-way function, it is important that $p$ be chosen to be a composite number which is difficult to factor. A way of choosing such a $p$ is to pick two large prime numbers $p_1$ and $p_2$ and to set $p = p_1 p_2$. More generally, there is considerable experience in choosing large numbers which are difficult to factor for use in conjunction with the RSA cryptographic algorithm, whose security depends on the computational difficulty of factoring.
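The one-way key stepping $f(z) = z^{M} \bmod p$, carried through in Python as an added example (not code from the patent). It serves both the derivation above and the later warning that whoever supplies $p$ must neither choose a prime nor retain the factors: both nodes compute the same $[K_{ij}]_0$ from their own secret and the peer's public value, the forward step from $[K_{ij}]_S$ to $[K_{ij}]_N$ is a single exponentiation, and the backward step is shown to be just as easy for anyone who knows the order of the group, which is $p-1$ when $p$ is prime and $\mathrm{lcm}(p_1-1, p_2-1)$ when $p = p_1 p_2$ is known to be composite with those factors. The primes, generator and secrets are constructed toy values, far too small for real use; M must be coprime to the group order for the Mth root to be unique, which the code checks.

```python
"""One-way key stepping f(z) = z^M mod p for perfect forward secrecy (added example)."""
from math import gcd

M = 3          # f(z) = z^M mod p
G = 5

# Constructed toy moduli.  The composite one is p = p1*p2 as the page
# recommends; both are far too small for real use (RSA-sized primes are needed).
P1, P2 = 1000000007, 998244353
P_COMPOSITE = P1 * P2
P_PRIME = 1000000007


def f(z, p):
    return pow(z, M, p)


def initial_key(my_secret, peer_public, p):
    """[K_ij]_0 = g^(ij) mod p from one's own secret and the peer's public value."""
    return pow(peer_public, my_secret, p)


def key_chain(k0, n, p):
    """[K_ij]_0 .. [K_ij]_N by repeated application of f."""
    chain = [k0]
    for _ in range(n):
        chain.append(f(chain[-1], p))
    return chain


def step_forward(k_s, s, n, p):
    """[K_ij]_N from [K_ij]_S for S <= N: raise to M^(N-S).  Always cheap."""
    return pow(k_s, M ** (n - s), p)


def mth_root(k_n, p, group_exponent):
    """Step backward from [K_ij]_N to [K_ij]_{N-1}.  Needs the group exponent:
    p-1 for prime p, lcm(p1-1, p2-1) for p = p1*p2.  That is exactly the
    information the page says the trusted party must forget."""
    if gcd(M, group_exponent) != 1:
        raise ValueError("M has no inverse modulo the group exponent; pick another M")
    d = pow(M, -1, group_exponent)        # Python 3.8+ modular inverse
    return pow(k_n, d, p)


def demo(p, known_exponent):
    i, j = 123456789, 987654321            # constructed DH secrets
    gi, gj = pow(G, i, p), pow(G, j, p)    # published DH values
    k0_at_i, k0_at_j = initial_key(i, gj, p), initial_key(j, gi, p)
    del i, j                               # page: delete the DH secret once [K_ij]_0 exists
    chain = key_chain(k0_at_i, 4, p)
    return (k0_at_i == k0_at_j,
            step_forward(chain[1], 1, 4, p) == chain[4],
            mth_root(chain[4], p, known_exponent) == chain[3])


def demo_composite():
    """Attacker who was handed p1 and p2 (or who factored p): inversion succeeds."""
    lam = (P1 - 1) * (P2 - 1) // gcd(P1 - 1, P2 - 1)
    return demo(P_COMPOSITE, lam)


def demo_prime():
    """A prime p, as the page warns: the group order is public, inversion succeeds."""
    return demo(P_PRIME, P_PRIME - 1)
```

Without $p_1$ and $p_2$ the only known route to `mth_root` is factoring $p$, which is the RSA-style assumption the specification relies on; the two demos show that the property is lost the moment either the factorization or a prime modulus is available to the attacker.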

A further action which is important for ensuring perfect forward secrecy is for each node I to delete its own DH secret $i$ after computing the initial set of shared keys $K_{ij} = g^{ij} \bmod p$ for all other nodes J (using those nodes' respective DH public keys $g^{j} \bmod p$). This deletion of the DH secret $i$ is valuable because, in practice, it is likely that the compromise of an interchange key $[K_{ij}]_N$ will occur (if it occurs at all) because a cracker has managed to obtain access to the entire contents of some node I, as for example by obtaining the password of a user account with complete control over the node. When the cracker has complete control of a node I, and the DH secret $i$ is still on the node, the cracker will be able to compute the initial interchange keys $[K_{ij}]_0 = g^{ij} \bmod p$ and thus all subsequent interchange keys $[K_{ij}]_N$. This unfortunate possibility can be avoided by the simple expedient of deleting $i$ once it is no longer needed.

Note that if node I deletes its DH secret $i$, it is no longer possible to add a new member L with a new secret $l$ to the group in the normal manner, because node I will be unable to compute the pairwise interchange key $K_{il} = g^{il} \bmod p$ just from a knowledge of node L's public key $g^{l} \bmod p$. This is why the perfect forward secrecy scheme just described is suitable primarily for closed user groups to which new nodes L are not added.

For similar reasons, once a node I determines that communication with the other nodes in the user group is proceeding in terms of a particular $[K_{ij}]_N$, so that no further traffic with $[K_{ij}]_S$ for S<N will need to be read or generated, then the node should delete any copies it has of $[K_{ij}]_S$ for any S<N after a timeout period. The decision that communication with the other nodes in the user group is employing a particular $[K_{ij}]_N$ is made as described previously in the specification. That is to say, upon the receipt of a data packet (P) in the context $N_i$ (e.g., a data packet from node I), node J computes $[K_{ij}]_N$ and decrypts the data packet P. Node J then determines whether the data packet was a valid encrypted packet in context $N_i$ using one of a number of mechanisms previously described with reference to FIGS. 4 and 5. If the packet P is a valid packet in context $N_i$, node J sets its internal context $N_j = N_i$ and concludes that no further packets are being originated with contexts S<$N_i$, so that the old contexts can be discarded after a period of time which represents the maximum packet transmission delay in the network. This is particularly important for the application of this technique to protocols such as IP which do not guarantee that the packets arrive in order.

If exponentiation is being used as the one-way function f(z), and a composite modulus $p$ is being employed, it is important to note that the modulus $p$ must be obtained from a source which can be trusted to provide a modulus which is difficult to factor. A cracker who managed to give a closed user group a $p$ of the cracker's own choosing (for example, a prime $p$, or a $p$ whose factorization into primes the cracker knows) would be able to invert the function $f(z) = z^{M} \bmod p$, thus defeating the perfect forward secrecy function described in the preceding paragraphs. Furthermore, if the trusted party generated $p$ by multiplying random primes, it is desirable that the trusted party forget those primes after having communicated their product to the nodes in the closed user group, rather than retain the factorization for as long as a key pair is in use. As will be appreciated, for closed user groups where each node may precompute all secret values and then discard their secrets, perfect forward secrecy may be obtained using one-way functions f(z). In the event a new node is added to the closed group, each of the nodes must have a new set of DH certificates/secrets assigned to them. However, for long term closed groups, the present invention's application of one-way functions and the deletion of each node's DH secret value significantly enhances network security.

It will also be noted that the key management scheme described herein may also be used to provide an integrity check (in addition to secrecy) for packets. In this case, the key $K_p$ may be used directly by either node I or node J to compute a Message Authentication Code (MAC) either over the entire packet or over the portions that require authentication.

Improved Application of SKIP to Datagram Multicast Protocols

As disclosed in my co-pending parent application, and incorporated herein by reference, the method of the present invention may be used in conjunction with datagram multicasting protocols such as IP (or IPng) multicast. This application requires key-management awareness in the establishment and joining process of multicast groups. Furthermore, in order to distribute multicast keying material, the notion of a group owner should exist. When multicasting to a multicast address M is required, a group membership creation primitive will establish the group key $K_g$ and the membership list of addresses that are allowed to transmit and receive encrypted multicast datagrams to and from address M. This action may be taken by the group owner.

The group key $K_g$ is not used as a packet encryption key, but rather as the Group Interchange Key (GIK). Namely, $K_g$ is used as a key-encrypting key, similar to the way the pair keys $K_{ij}$ are used in SKIP for unicast IP.

Nodes wishing to transmit/receive encrypted datagrams to multicast address M acquire the GIK $K_g$. In the present invention, this is accomplished by sending an encrypted/authenticated request-to-join primitive to the group owner. If the requesting node's address is part of the group's authorized membership list, the group owner sends the GIK $K_g$, algorithm identifier, associated lifetime information and key-change policy in an encrypted packet, using the pair-wise secure protocol previously described in this Specification.

The packet formats for the GIK request/response are given below. These describe the payload portion of either a TCP or UDP packet, which has been enhanced using SKIP unicast procedures. If using UDP, multiple requests may be sent, in case of packet losses of earlier request/response messages. The request is sent to TCP/UDP port # XXXX corresponding to the group owner's unicast IP address.

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Version = 1  |                   Reserved                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    IP Multicast Address M                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The first field specifies the version of this protocol, which is 1. Following this field is the actual IP multicast address for which the GIK is being requested. The request packet that is sent must have the minimal IPSP enhancement of source-origin authentication, and may optionally be encrypted and/or have playback protection by use of the sequence number field. The group owner's response is an encrypted packet containing the GIK $K_g$. The response is sent to TCP/UDP port # XXXX and is addressed to the requestor's unicast IP address. This packet format is as follows. As before, it defines the data portion of a TCP or UDP packet.

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Version = 1  |   Kg algid    |           Reserved            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    IP Multicast Address M                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                   Expiry time (low 32 bits)                   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                   Expiry time (high 32 bits)                  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Recommended Key Change Interval (in secs)           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Recommended Key Change Interval (in bytes)          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             Kg ... (length dependent on Kg algid)             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+



The 64-bit expiry time specifies when the multicast key is considered to have expired. This is in terms of seconds since Jan. 1, 1994, expressed in GMT. The recommended key-change interval is what every source of encrypted traffic to the multicast group uses to determine the key-change policy. There are two ways currently envisioned to specify a key-change policy. The first is in terms of elapsed time since the last key change. Another is in terms of the amount of data encrypted in a given packet encryption key. It is contemplated that each source will use whichever of these methods determines the more frequent key-change policy, whether this is in terms of the amount of traffic encrypted in a given key, or in terms of elapsed time (in seconds) since the last key change.
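An added Python example, not code from the patent, that builds and parses the GIK request and response payloads described above and applies the key-change policy they carry. The field order and widths follow the diagrams; network byte order, the table mapping a Kg algorithm identifier to a key length, and the sample addresses, key and expiry are assumptions made for the example, and the port number is left out because the page does not give one.

```python
"""GIK request/response payloads and key-change policy (added example, not SKIP code)."""
import ipaddress
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1994 = datetime(1994, 1, 1, tzinfo=timezone.utc)   # page: seconds since Jan. 1, 1994 GMT
REQUEST = struct.Struct("!BBH4s")        # version, reserved, reserved, multicast address M
RESPONSE = struct.Struct("!BBH4sIIII")   # version, Kg algid, reserved, M, expiry lo, expiry hi,
                                         # key-change interval (secs), key-change interval (bytes)
KG_LENGTH = {1: 8, 2: 16}                # hypothetical algid -> Kg length in bytes


def build_request(maddr):
    return REQUEST.pack(1, 0, 0, ipaddress.IPv4Address(maddr).packed)


def build_response(algid, maddr, expiry, interval_secs, interval_bytes, kg):
    if len(kg) != KG_LENGTH[algid]:
        raise ValueError("Kg length does not match algid")
    secs = int((expiry - EPOCH_1994).total_seconds())
    return RESPONSE.pack(1, algid, 0, ipaddress.IPv4Address(maddr).packed,
                         secs & 0xFFFFFFFF, secs >> 32, interval_secs, interval_bytes) + kg


def parse_response(buf):
    """Return the GIK and its policy; reject unknown versions and mis-sized Kg fields."""
    ver, algid, _res, m, lo, hi, isecs, ibytes = RESPONSE.unpack_from(buf)
    if ver != 1:
        raise ValueError("unsupported version %d" % ver)
    kg = buf[RESPONSE.size:]
    if len(kg) != KG_LENGTH.get(algid, -1):
        raise ValueError("bad Kg length for algid %d" % algid)
    return {
        "algid": algid,
        "group": str(ipaddress.IPv4Address(m)),
        "expiry": EPOCH_1994 + timedelta(seconds=(hi << 32) | lo),
        "interval_secs": isecs,
        "interval_bytes": ibytes,
        "kg": kg,
    }


def must_change_key(policy, elapsed_secs, bytes_under_key):
    """Page: apply whichever rule gives the more frequent change, i.e. either limit triggers."""
    return elapsed_secs >= policy["interval_secs"] or bytes_under_key >= policy["interval_bytes"]


def gik_usable(policy, now):
    """The GIK may not be used at or after its expiry time."""
    return now < policy["expiry"]


def demo():
    expiry = datetime(1996, 6, 1, tzinfo=timezone.utc)           # constructed
    wire = build_response(2, "224.0.2.1", expiry, 300, 10_000_000, bytes(range(16)))
    pol = parse_response(wire)
    return (pol["group"], pol["expiry"] == expiry,
            must_change_key(pol, 10, 500),            # neither limit reached
            must_change_key(pol, 300, 0),             # time limit reached
            must_change_key(pol, 0, 10_000_000),      # byte limit reached
            gik_usable(pol, datetime(1996, 1, 1, tzinfo=timezone.utc)),
            gik_usable(pol, datetime(1997, 1, 1, tzinfo=timezone.utc)))
```

A receiver that trusts the response must also check, as the page requires, that it arrived under the pair-wise SKIP protection from the group owner; the parser above only validates the payload itself.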

Transmitting nodes to group address M will randomly generate packet encryption keys $K_p$ and encrypt these keys using $K_g$. The packet structure is similar to the structure used for encrypted unicast SKIP packets, except that the packet keys $K_p$ are not encrypted in the pair-wise keys $K_{ij}$, but instead are encrypted using the GIK $K_g$. An example encrypted multicast packet is shown below.

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            Clear IP Header, IP protocol = IPSP ...            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Ver.  |1|0|0|0|0|0|                    SAID                   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Reserved    |    Kp alg     |           reserved            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Kp encrypted in Kg ... (typically 8-16 bytes)         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      Message Indicator (e.g. IV) ... (typically 8 bytes)      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               Begin Protected IPSP Payload ...                |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

In addition, since all the packet encryption keys are randomly generated, and hence different, there is no problem in using stream ciphers with multicast. This is because each source of encrypted traffic when using a stream cipher would use a different key-stream and thus there is no key-stream reuse problem. If all members of the multicast group used the same packet encryption key, then certain stream ciphers could not be used with multicast IP.

An implementation of this improved protocol will rely on the group owner to distribute the GIK $K_g$. How the identity of the group owner is established and communicated to the participating nodes is left to the application layer. However, it will be appreciated that this should be done in a secure fashion, otherwise the underlying key-management facility may be defeated.

An advantage of the method of the present invention is that only the keying information is distributed in a pair-wise fashion. The actual encrypted data packet is sent using the standard multicast delivery mechanisms, thereby allowing the same network bandwidth efficiency that is expected of a network layer multicast protocol when operating over sub-networks which also support multicasting (for example, Ethernet, FDDI, etc). This scheme is considered to scale well, even for a large number of nodes, because key-change requires no extra communications overhead.
The destination IP address will be used by the receiver to determine whether to use unicast or multicast key-processing procedures on a received IP packet. In case the destination address is an IP multicast address, it will use the group interchange key $K_g$ to decrypt the packet encryption key $K_p$.

There are two distinct advantages of this scheme. Every member of the multicast group can change packet encryption keys as often as required (in line with the policy set by the group owner), without involving key-setup communications overhead involving every member of the group. This can be extremely frequent, even once every few seconds, even with very large multicast groups, because there is no extra communications overhead for changing packet encryption keys.



Management of DH Certificates 

Since the nodes' public DH values are communicated in the form of certificates, the same type of multi-tier certification structure that is being deployed for PEM, and also by the European PASSWORD project, may be used. There may be a Top Level Certifying Authority (TLCA), which may be the same as the Internet Policy Registration Authority (IPRA), Policy Certifying Authorities (PCAs) at the second tier, and the organizational Certificate Authorities (CAs) below that.

In addition to the identity certificates, which are part of PEM, additional authorization certificates are needed to properly track the ownership of IP addresses. Since it is desirable to directly use IP addresses in the DH certificates, name subordination principles alone cannot be used to determine if a particular CA has the authority to bind a particular IP address to a DH public key. However, the present invention may use the X.509/PEM certificate format, since the subject Distinguished Name (DN) in the certificate can be the ASCII decimal representation of an IP (or IPng) address.

Since the nodes only have DH public keys, which have no signature capability, the nodes themselves are unable to issue DH certificates. The node certificates are issued by organizational CAs which have jurisdiction over the range of IP addresses that are being certified. The PCAs will have to perform suitable checks (in line with the policy of that PCA) to confirm that the organization which has jurisdiction over a range of addresses is issued a certificate giving it the authority to certify the DH values of individual nodes with those addresses. This authority may be delegated in the form of an authorization certificate signed by the PCA. For the purposes of authorization, the CA's Distinguished Name (DN) will be bound to the range of IP addresses over which it has jurisdiction. The CA has either an RSA or DSA certificate from the PCA. The CA which has authority over a range of IP addresses can delegate authority over part of the range to a subordinate CA, by signing another authorization certificate using its own private key. The organizational CA so authorized is identified by the range of addresses that it can issue certificates for. The range of IP addresses is identified in the certificate in the form of an IP address prefix length list.
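The authorization check implied by the preceding paragraphs, written out in Python as an added example that is not part of the patent: a node certificate whose subject DN is the decimal form of its IP address is acceptable only if the issuing CA's prefix-length list covers that address, and each delegation down the chain narrows the parent's range rather than exceeding it. Signature verification of the certificates themselves is assumed to have been done separately; the "CN=" attribute name and the addresses (taken from the RFC 5737 documentation ranges) are constructed for the example.

```python
"""IP-address jurisdiction checks for DH certificates (added example, not the patent's code)."""
import ipaddress


def subject_dn(addr):
    """Page: the subject DN can be the ASCII decimal representation of the address.
    The 'CN=' attribute is an assumption."""
    return "CN=" + str(ipaddress.ip_address(addr))


def address_from_dn(dn):
    return ipaddress.ip_address(dn.split("=", 1)[1])


def covers(prefixes, addr):
    """Does a CA's authorized prefix-length list contain this node address?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def valid_delegation(parent_prefixes, child_prefixes):
    """A CA may delegate only part of its own range: every child prefix must
    lie inside some prefix of the parent's list."""
    parents = [ipaddress.ip_network(p) for p in parent_prefixes]
    return all(any(c.version == p.version and c.subnet_of(p) for p in parents)
               for c in (ipaddress.ip_network(x) for x in child_prefixes))


def verify_authorization_chain(chain, node_dn):
    """chain[0] is the range the PCA granted the top organizational CA; each
    later element is a subordinate CA's range.  True when every delegation
    narrows and the node address lies in the issuing (last) CA's range."""
    for parent, child in zip(chain, chain[1:]):
        if not valid_delegation(parent, child):
            return False
    return covers(chain[-1], address_from_dn(node_dn))


def demo():
    pca_grant = ["192.0.2.0/24", "198.51.100.0/24"]   # constructed ranges
    sub_ca = ["192.0.2.128/25"]
    rogue_ca = ["203.0.113.0/24"]                     # never granted by the PCA
    return (verify_authorization_chain([pca_grant, sub_ca], subject_dn("192.0.2.200")),
            verify_authorization_chain([pca_grant, sub_ca], subject_dn("192.0.2.5")),
            verify_authorization_chain([pca_grant, rogue_ca], subject_dn("203.0.113.9")))
```

The second case fails because the address, although inside the PCA's grant, is outside the subordinate CA that actually signed the node certificate; the third fails at the delegation step, which is the check that name subordination alone cannot provide when DNs are IP addresses.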
I claim:

1. An improved method for a first data processing device (node I) to send data to a second data processing device (node J) in a multicast user group having an address M, comprising:

obtaining a group interchange key for node I from a group owner;

independently of node J, randomly generating a transient key;

utilizing said group interchange key to encrypt the randomly generated transient key;

encrypting a data packet to be transmitted to said multicast address using said transient key; and

sending said data packet encrypted using said transient key to said multicast address.

2. A method for a first data processing device (node J) to receive data from a second data processing device (node I) in a multicast user group having an address M, wherein a data packet is sent by node I to node J, the data packet being encrypted with a transient key and the transient key being encrypted utilizing a group interchange key obtained from a group owner, comprising:

receiving said data packet from node I; and

obtaining said group interchange key from said group owner;

independently of node I, utilizing said group interchange key to decrypt the transient key, and decrypting said received data packet using said transient key,

whereby node J decrypts data received and previously encrypted by node I.

3. The method as defined by claim 1, wherein said group interchange key is a pair-wise secret used as a key for a shared key cryptosystem (SKCS).

4. The method as defined by claim 3, wherein said data packet includes a destination address field and an SKCS identifier field.



5. The method as defined by claim 4, wherein said data 
packet further includes a message indicator field. 



40 



6. An apparatus for encrypting data for transmission from a 
first data processing device (node I) to at least one second 
data processing device (node J) in a multicast group having 
an address M, comprising: 

a storage device for storing a group interchange key 
obtained from a group owner; 

an encrypting device arranged to encrypt a data packet to 
be transmitted to node J, said encrypting device ran- 
domly and independently of node J generating a tran- 
sient key and encrypting the randomly generated tran- 
sient key using the group interchange key, and 
encrypting said data packet using said transient key; 
and 

an interface circuit arranged to transmit said encrypted 
data packet to said node J at said multicast address. 

7. An apparatus for decrypting data transmitted from a 
first data processing device (node I) to at least a second data 
processing device (node J) in a multicast group having an 
address M, wherein a data packet is sent by node I to node 
J, the data packet being encrypted with a transient key and 
the transient key being encrypted utilizing a group inter- 
change key obtained from a group owner, comprising: 

a receiver for receiving said encrypted data packet from 
node I; and 

a decrypting device coupled to said receiver for decrypt- 
ing said data packet from node I, wherein the decrypt- 
ing device utilizes the group interchange key to decrypt 
the transient key independently of node I and decrypts 
the received data packet using the transient key. 

8. The apparatus as defined by claim 6, wherein said 
group interchange key is a pairwise secret used as a key for 
a shared cryptosystem (SKCS). 

9. The apparatus as defined by claim 8, wherein said data 
packet includes a source address, a destination address and 
an SKCS identifier field. 

10. The apparatus as defined by claim 9, wherein said data 
packet further includes a message indicator field. 
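The sending and receiving steps of claims 1 and 2 (and the packet fields of claims 4 and 5), as an added example that is not the patent's own code: the group interchange key obtained from the group owner wraps a per-packet random transient key, the transient key encrypts the payload, and the packet carries source address, destination (multicast) address, an SKCS identifier and a message indicator in the clear. The SKCS here is a constructed stand-in, an HMAC-SHA256 counter-mode keystream, chosen so the block runs with the standard library only; the header layout and the identifier value 1 are assumptions.

```python
import hashlib
import hmac
import os
import struct

SKCS_ID = 1                 # constructed identifier for the stand-in cipher
HEADER_FMT = ">4s4sB8sH"    # src IPv4, dst IPv4 (address M), SKCS id, message indicator, wrapped-key length


def keystream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream (stand-in SKCS, not a real block cipher).
    Confidentiality only: there is no integrity tag, so a modified packet is not detected."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def build_packet(group_key, src, dst, payload):
    """Node I: wrap a fresh transient key under the group interchange key, then encrypt the payload under it."""
    kp = os.urandom(16)   # transient key, chosen without any exchange with the receivers
    mi = os.urandom(8)    # message indicator: per-packet nonce sent in the clear
    wrapped_kp = keystream_xor(group_key, b"wrap" + mi, kp)   # Kp encrypted under the group key
    body = keystream_xor(kp, mi, payload)                      # payload encrypted under Kp
    header = struct.pack(HEADER_FMT, src, dst, SKCS_ID, mi, len(wrapped_kp))
    return header + wrapped_kp + body


def parse_packet(group_key, packet):
    """Node J: recover Kp with the group key obtained from the group owner, then the payload.
    Returns (src, dst, payload); a wrong group key yields garbage, not an error."""
    hdr_len = struct.calcsize(HEADER_FMT)
    src, dst, skcs, mi, klen = struct.unpack(HEADER_FMT, packet[:hdr_len])
    if skcs != SKCS_ID:
        raise ValueError("unsupported SKCS identifier %d" % skcs)
    wrapped_kp = packet[hdr_len:hdr_len + klen]
    kp = keystream_xor(group_key, b"wrap" + mi, wrapped_kp)
    payload = keystream_xor(kp, mi, packet[hdr_len + klen:])
    return src, dst, payload
```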